x-fidelity 2.12.1 → 2.13.1

package/CHANGELOG.md

@@ -1,3 +1,26 @@
+## [2.13.1](https://github.com/zotoio/x-fidelity/compare/v2.13.0...v2.13.1) (2024-08-28)
+
+
+### Bug Fixes
+
+* **schema:** relax for fix ([ee5e123](https://github.com/zotoio/x-fidelity/commit/ee5e12350cef95dcdcbe3e4930b1ca6f5a9b4609))
+
+# [2.13.0](https://github.com/zotoio/x-fidelity/compare/v2.12.1...v2.13.0) (2024-08-28)
+
+
+### Bug Fixes
+
+* add readonly constraint to archetypeSchema ([c74d116](https://github.com/zotoio/x-fidelity/commit/c74d1168733795aac523ba8ceb33020f2f41911e))
+* Improve path traversal prevention in repoFilesystemFacts.ts ([f65f595](https://github.com/zotoio/x-fidelity/commit/f65f59532683e7a8e392e8bcd259869b8fe2f006))
+* **schema:** fix schema validation and incorrect default rule code in setupEngine ([0a3c65c](https://github.com/zotoio/x-fidelity/commit/0a3c65ce5d0873ec1b3e679ac343ae91e6c0e463))
+* update import statement for RuleConfigSchema ([a658127](https://github.com/zotoio/x-fidelity/commit/a6581272708bcf77a37040c1fb0a6d0411d29a36))
+
+
+### Features
+
+* Add new types for IsBlacklistedParams and isWhitelistedParams ([2c43c82](https://github.com/zotoio/x-fidelity/commit/2c43c822f5dbeeb8f10fcf157886fe607e451fe3))
+* Update archetype typedef and jsonschema to validate semver strings ([2bba2b1](https://github.com/zotoio/x-fidelity/commit/2bba2b15a66f0937609b04815b029ff181f86ccf))
+
 ## [2.12.1](https://github.com/zotoio/x-fidelity/compare/v2.12.0...v2.12.1) (2024-08-25)
 
 

package/dist/archetypes/java-microservice.json

@@ -17,7 +17,7 @@
     ],
     "config": {
         "minimumDependencyVersions": {
-            "spring-boot-starter": "^2.5.0",
+            "springbootstarter": ">2.5.0",
             "spring-boot-starter-web": "^2.5.0"
         },
         "standardStructure": {

package/dist/archetypes/node-fullstack.json

@@ -21,11 +21,12 @@
     ],
     "config": {
         "minimumDependencyVersions": {
-            "@types/react": "^17.0.0",
-            "react": "^17.0.0",
-            "@yarnpkg/lockfile": "^1.2.0",
-            "commander": "^2.0.0",
-            "nodemon": "^3.9.0"
+            "@types/react": ">=18.0.0",
+            "react": "~17.0.0",
+            "@yarnpkg/lockfile": "<1.2.0",
+            "commander": ">=2.0.0 <13.0.0",
+            "nodemon": ">4.9.0",
+            "@colors/colors": "1.7.0 || 1.6.0"
         },
         "standardStructure": {
             "app": {

package/dist/core/engine/engineSetup.js

@@ -34,7 +34,7 @@ function setupEngine(params) {
         // Add rules to engine
         logger_1.logger.info(`=== loading json rules..`);
         const config = yield configManager_1.ConfigManager.getConfig({ archetype, logPrefix: executionLogPrefix });
-        logger_1.logger.debug(config.rules);
+        logger_1.logger.debug(`rules loaded: ${config.rules}`);
         const addedRules = new Set();
         config.rules.forEach((rule) => {
             try {
@@ -61,19 +61,6 @@ function setupEngine(params) {
                 logger_1.logger.error(e.message);
             }
         });
-        if (addedRules.size === 0) {
-            logger_1.logger.info('No valid rules were added. Adding default rules.');
-            engine.addRule({
-                name: 'default-rule-1',
-                conditions: { all: [] },
-                event: { type: 'warning', params: { message: 'Default rule 1 triggered' } }
-            });
-            engine.addRule({
-                name: 'default-rule-2',
-                conditions: { all: [] },
-                event: { type: 'warning', params: { message: 'Default rule 2 triggered' } }
-            });
-        }
         engine.on('success', (_a) => __awaiter(this, [_a], void 0, function* ({ type, params }) {
             if (type === 'warning') {
                 logger_1.logger.warn(`warning detected: ${JSON.stringify(params)}`);

package/dist/core/engine/engineSetup.test.js

@@ -83,31 +83,6 @@ describe('setupEngine', () => {
         expect(mockOn).toHaveBeenCalledTimes(1);
         expect(engine).toBeDefined();
     }));
-    it('should handle errors when loading rules and add default rules', () => __awaiter(void 0, void 0, void 0, function* () {
-        const mockAddRule = jest.fn();
-        json_rules_engine_1.Engine.mockImplementation(() => ({
-            addOperator: jest.fn(),
-            addRule: mockAddRule,
-            addFact: jest.fn(),
-            on: jest.fn()
-        }));
-        configManager_1.ConfigManager.getConfig.mockResolvedValue({
-            archetype: mockArchetypeConfig,
-            rules: [
-                undefined,
-                { name: undefined },
-                { name: 'invalidRule', conditions: null }
-            ],
-            cliOptions: {}
-        });
-        yield (0, engineSetup_1.setupEngine)(mockParams);
-        expect(logger_1.logger.error).toHaveBeenCalledWith('Invalid rule configuration: rule or rule name is undefined');
-        expect(logger_1.logger.error).toHaveBeenCalledWith('Invalid rule configuration: rule or rule name is undefined');
-        expect(logger_1.logger.error).toHaveBeenCalledWith('Error loading rule: invalidRule');
-        expect(logger_1.logger.info).toHaveBeenCalledWith('No valid rules were added. Adding default rules.');
-        expect(mockAddRule).toHaveBeenCalledWith(expect.objectContaining({ name: 'default-rule-1' }));
-        expect(mockAddRule).toHaveBeenCalledWith(expect.objectContaining({ name: 'default-rule-2' }));
-    }));
     it('should set up event listeners for success events', () => __awaiter(void 0, void 0, void 0, function* () {
         const mockOn = jest.fn();
         json_rules_engine_1.Engine.mockImplementation(() => ({

package/dist/facts/repoDependencyFacts.js

@@ -214,28 +214,37 @@ function repoDependencyAnalysis(params, almanac) {
 function semverValid(installed, required) {
     // Remove potential @namespace from installed version
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    const installedVersion = installed.includes('@') ? installed.split('@').pop() : installed;
-    if (!required || !installedVersion) {
+    installed = installed.includes('@') ? installed.split('@').pop() : installed;
+    if (!installed || !required) {
         return true;
     }
+    // ensure that both inputs are now valid semver or range strings
+    if (!semver.valid(installed) && !semver.validRange(installed)) {
+        logger_1.logger.error(`semverValid: invalid installed version or range: ${installed}`);
+        return false;
+    }
+    if (!semver.valid(required) && !semver.validRange(required)) {
+        logger_1.logger.error(`semverValid: invalid required version or range: ${required}`);
+        return false;
+    }
     // If 'installed' is a single version and 'required' is a range
     if (semver.valid(installed) && semver.validRange(required)) {
-        logger_1.logger.debug('range vs version');
+        logger_1.logger.info('range vs version');
         return semver.satisfies(installed, required);
     }
     // If 'required' is a single version and 'installed' is a range
     if (semver.valid(required) && semver.validRange(installed)) {
-        logger_1.logger.debug('version vs range');
+        logger_1.logger.info('version vs range');
         return semver.satisfies(required, installed);
     }
     // If both are single versions, simply compare them
     if (semver.valid(required) && semver.valid(installed)) {
-        logger_1.logger.debug('version vs version');
+        logger_1.logger.info('version vs version');
         return semver.gt(installed, required);
     }
     // If both are ranges, check if they intersect
     if (semver.validRange(required) && semver.validRange(installed)) {
-        logger_1.logger.debug('range vs range');
+        logger_1.logger.info('range vs range');
         return semver.intersects(required, installed);
     }
     return false;

package/dist/facts/repoDependencyFacts.test.js

@@ -38,6 +38,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const repoDependencyFacts = __importStar(require("./repoDependencyFacts"));
 const child_process_1 = require("child_process");
 const fs_1 = __importDefault(require("fs"));
+const repoDependencyFacts_1 = require("./repoDependencyFacts");
 jest.mock('child_process');
 jest.mock('fs');
 jest.mock('../utils/logger');
@@ -142,28 +143,70 @@ describe('repoDependencyFacts', () => {
     });
     describe('semverValid', () => {
         it('should return true for valid version comparisons', () => {
-            expect(repoDependencyFacts.semverValid('2.0.0', '^1.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('1.5.0', '1.0.0 - 2.0.0')).toBe(true);
-            expect(repoDependencyFacts.semverValid('1.0.0', '1.0.0')).toBe(true);
-            expect(repoDependencyFacts.semverValid('2.0.0', '>=1.0.0')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '^1.0.0')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.5.0', '1.0.0 - 2.0.0')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.0.0', '1.0.0')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '>=1.0.0')).toBe(true);
         });
         it('should return false for invalid version comparisons', () => {
-            expect(repoDependencyFacts.semverValid('1.0.0', '^2.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('3.0.0', '1.0.0 - 2.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('0.9.0', '>=1.0.0')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.0.0', '^2.0.0')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('3.0.0', '1.0.0 - 2.0.0')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('0.9.0', '>=1.0.0')).toBe(false);
         });
         it('should handle complex version ranges', () => {
-            expect(repoDependencyFacts.semverValid('1.2.3', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('2.5.0', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('5.5.5', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('8.0.0', '1.x || >=9.5.0 || 5.0.0 - 7.2.3')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.5.0', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('5.5.5', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('8.0.0', '1.x || >=9.5.0 || 5.0.0 - 7.2.3')).toBe(false);
+        });
+        it('should handle caret ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '^1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.3.0', '^1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '^1.2.3')).toBe(false);
+        });
+        it('should handle tilde ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '~1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.9', '~1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.3.0', '~1.2.3')).toBe(false);
+        });
+        it('should handle x-ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '1.2.x')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.9', '1.2.x')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.3.0', '1.2.x')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '1.x')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.3.0', '1.x')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '1.x')).toBe(false);
+        });
+        it('should handle star ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '*')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '*')).toBe(true);
+        });
+        it('should handle greater than and less than ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('2.0.0', '>1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '>1.2.3')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.2', '<1.2.3')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '<1.2.3')).toBe(false);
+        });
+        it('should handle AND ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '>1.2.2 <1.2.4')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.4', '>1.2.2 <1.2.4')).toBe(false);
+        });
+        it('should handle OR ranges', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3', '1.2.3 || 1.2.4')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.4', '1.2.3 || 1.2.4')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.5', '1.2.3 || 1.2.4')).toBe(false);
+        });
+        it('should handle pre-release versions', () => {
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3-alpha', '>=1.2.3-alpha')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.3-beta', '>=1.2.3-alpha')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('1.2.2', '>=1.2.3-alpha')).toBe(false);
         });
         it('should return true for empty strings', () => {
-            expect(repoDependencyFacts.semverValid('', '')).toBe(true);
+            expect((0, repoDependencyFacts_1.semverValid)('', '')).toBe(true);
         });
         it('should return false for invalid input', () => {
-            expect(repoDependencyFacts.semverValid('not-a-version', '1.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('1.0.0', 'not-a-range')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('not-a-version', '1.0.0')).toBe(false);
+            expect((0, repoDependencyFacts_1.semverValid)('1.0.0', 'not-a-range')).toBe(false);
         });
     });
 });

package/dist/facts/repoFilesystemFacts.js

@@ -39,13 +39,13 @@ function collectRepoFileData(repoPath, archetypeConfig) {
             logger_1.logger.debug(`checking file: ${filePath}`);
             const stats = yield fs_1.default.promises.lstat(filePath);
             if (stats.isDirectory()) {
-                if (!isBlacklisted(filePath, archetypeConfig.config.blacklistPatterns)) {
+                if (!isBlacklisted({ filePath, repoPath, blacklistPatterns: archetypeConfig.config.blacklistPatterns })) {
                     const dirFilesData = yield collectRepoFileData(filePath, archetypeConfig);
                     filesData.push(...dirFilesData);
                 }
             }
             else {
-                if (!isBlacklisted(filePath, archetypeConfig.config.blacklistPatterns) && isWhitelisted(filePath, archetypeConfig.config.whitelistPatterns)) {
+                if (!isBlacklisted({ filePath, repoPath, blacklistPatterns: archetypeConfig.config.blacklistPatterns }) && isWhitelisted({ filePath, repoPath, whitelistPatterns: archetypeConfig.config.whitelistPatterns })) {
                     logger_1.logger.debug(`adding file: ${filePath}`);
                     const fileData = yield parseFile(filePath);
                     filesData.push(fileData);
@@ -55,21 +55,33 @@ function collectRepoFileData(repoPath, archetypeConfig) {
         return filesData;
     });
 }
-function isBlacklisted(filePath, blacklistPatterns) {
+function isBlacklisted({ filePath, repoPath, blacklistPatterns }) {
     logger_1.logger.debug(`checking blacklist for file: ${filePath}`);
+    const normalizedPath = path_1.default.normalize(filePath);
+    const normalizedRepoPath = path_1.default.normalize(repoPath);
+    if (!normalizedPath.startsWith(normalizedRepoPath)) {
+        logger_1.logger.warn(`Potential path traversal attempt detected: ${filePath}`);
+        return true;
+    }
     for (const pattern of blacklistPatterns) {
-        if (new RegExp(pattern).test(filePath)) {
-            logger_1.logger.debug(`skipping blacklisted file: ${filePath} with pattern: ${pattern}`);
+        if (new RegExp(pattern).test(normalizedPath)) {
+            logger_1.logger.debug(`skipping blacklisted file: ${normalizedPath} with pattern: ${pattern}`);
             return true;
         }
     }
     return false;
 }
-function isWhitelisted(filePath, whitelistPatterns) {
+function isWhitelisted({ filePath, repoPath, whitelistPatterns }) {
     logger_1.logger.debug(`checking whitelist for file: ${filePath}`);
+    const normalizedPath = path_1.default.normalize(filePath);
+    const normalizedRepoPath = path_1.default.normalize(repoPath);
+    if (!normalizedPath.startsWith(normalizedRepoPath)) {
+        logger_1.logger.warn(`Potential path traversal attempt detected: ${filePath}`);
+        return false;
+    }
     for (const pattern of whitelistPatterns) {
-        if (new RegExp(pattern).test(filePath)) {
-            logger_1.logger.debug(`allowing file: ${filePath} with pattern: ${pattern}`);
+        if (new RegExp(pattern).test(normalizedPath)) {
+            logger_1.logger.debug(`allowing file: ${normalizedPath} with pattern: ${pattern}`);
             return true;
         }
     }

package/dist/facts/repoFilesystemFacts.test.js

@@ -60,22 +60,26 @@ describe('File operations', () => {
     });
     describe('isBlacklisted', () => {
         it('should return true if file path matches any blacklist pattern', () => {
-            const filePath = '/node_modules/index.js';
-            expect((0, repoFilesystemFacts_1.isBlacklisted)(filePath, mockArchetypeConfig.config.blacklistPatterns)).toBe(true);
+            const filePath = '/test/repo/node_modules/index.js';
+            const repoPath = '/test/repo';
+            expect((0, repoFilesystemFacts_1.isBlacklisted)({ filePath, repoPath, blacklistPatterns: mockArchetypeConfig.config.blacklistPatterns })).toBe(true);
         });
         it('should return false if file path does not match any blacklist pattern', () => {
-            const filePath = 'src/index.js';
-            expect((0, repoFilesystemFacts_1.isBlacklisted)(filePath, mockArchetypeConfig.config.blacklistPatterns)).toBe(false);
+            const filePath = '/test/repo/src/index.js';
+            const repoPath = '/test/repo';
+            expect((0, repoFilesystemFacts_1.isBlacklisted)({ filePath, repoPath, blacklistPatterns: mockArchetypeConfig.config.blacklistPatterns })).toBe(false);
         });
     });
     describe('isWhitelisted', () => {
         it('should return true if file path matches any whitelist pattern', () => {
-            const filePath = '/src/index.js';
-            expect((0, repoFilesystemFacts_1.isWhitelisted)(filePath, mockArchetypeConfig.config.whitelistPatterns)).toBe(true);
+            const filePath = '/test/repo/src/index.js';
+            const repoPath = '/test/repo';
+            expect((0, repoFilesystemFacts_1.isWhitelisted)({ filePath, repoPath, whitelistPatterns: mockArchetypeConfig.config.whitelistPatterns })).toBe(true);
         });
         it('should return false if file path does not match any whitelist pattern', () => {
-            const filePath = 'build/index.txt';
-            expect((0, repoFilesystemFacts_1.isWhitelisted)(filePath, mockArchetypeConfig.config.whitelistPatterns)).toBe(false);
+            const filePath = '/test/repo/build/index.txt';
+            const repoPath = '/test/repo';
+            expect((0, repoFilesystemFacts_1.isWhitelisted)({ filePath, repoPath, whitelistPatterns: mockArchetypeConfig.config.whitelistPatterns })).toBe(false);
         });
     });
 });

package/dist/operators/outdatedFramework.js

@@ -8,7 +8,7 @@ const outdatedFramework = {
         var _a;
         let result = false;
         try {
-            logger_1.logger.debug(`outdatedFramework: processing ${repoDependencyAnalysis}`);
+            logger_1.logger.debug(`outdatedFramework: processing ${JSON.stringify(repoDependencyAnalysis)}`);
             if (((_a = repoDependencyAnalysis === null || repoDependencyAnalysis === void 0 ? void 0 : repoDependencyAnalysis.result) === null || _a === void 0 ? void 0 : _a.length) > 0) {
                 return true;
             }

package/dist/server/configServer.js

@@ -27,7 +27,7 @@ const validateGithubWebhook_1 = require("./middleware/validateGithubWebhook");
 const chokidar_1 = __importDefault(require("chokidar"));
 const cacheManager_1 = require("./cacheManager");
 const SHARED_SECRET = process.env.XFI_SHARED_SECRET;
-const maskedSecret = SHARED_SECRET ? `${SHARED_SECRET.substring(0, 4)}****${SHARED_SECRET.substring(SHARED_SECRET.length - 4)}` : 'not set';
+const maskedSecret = SHARED_SECRET ? `${SHARED_SECRET.substring(0, 1)}****${SHARED_SECRET.substring(SHARED_SECRET.length - 1)}` : 'not set';
 logger_1.logger.info(`Shared secret is ${maskedSecret}`);
 const app = (0, express_1.default)();
 // Add security headers

package/dist/utils/jsonSchemas.js

@@ -3,10 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateRule = exports.validateArchetype = void 0;
+exports.validateRule = exports.validateArchetype = exports.validateRuleSchema = exports.validateArchetypeSchema = void 0;
 const ajv_1 = __importDefault(require("ajv"));
 const logger_1 = require("./logger");
+const semver_1 = __importDefault(require("semver"));
 const ajv = new ajv_1.default();
+ajv.addFormat("semverPattern", {
+    type: "string",
+    validate: (x) => semver_1.default.valid(x) !== null && semver_1.default.validRange(x) !== null
+});
 const archetypeSchema = {
     type: 'object',
     properties: {
@@ -19,13 +24,19 @@ const archetypeSchema = {
             properties: {
                 minimumDependencyVersions: {
                     type: 'object',
+                    properties: {
+                        '^.*$': {
+                            type: 'string',
+                            format: 'semverPattern'
+                        }
+                    },
                     minProperties: 1,
+                    additionalProperties: true,
                     required: []
                 },
                 standardStructure: {
                     type: 'object',
                     minProperties: 1,
-                    required: []
                 },
                 blacklistPatterns: {
                     type: 'array',
@@ -42,7 +53,7 @@ const archetypeSchema = {
             additionalProperties: true
         }
     },
-    required: ['rules', 'operators', 'facts', 'config'],
+    required: ['name', 'rules', 'operators', 'facts', 'config'],
     additionalProperties: false
 };
 const ruleSchema = {
@@ -71,8 +82,8 @@ const ruleSchema = {
     },
     required: ['name', 'conditions', 'event']
 };
-const validateArchetypeSchema = ajv.compile(archetypeSchema);
-const validateRuleSchema = ajv.compile(ruleSchema);
+exports.validateArchetypeSchema = ajv.compile(archetypeSchema);
+exports.validateRuleSchema = ajv.compile(ruleSchema);
 // Helper function to log validation errors
 const logValidationErrors = (errors) => {
     if (errors) {
@@ -83,17 +94,17 @@ const logValidationErrors = (errors) => {
 };
 // Wrap the validate functions to log errors
 const validateArchetype = (data) => {
-    const isValid = validateArchetypeSchema(data);
+    const isValid = (0, exports.validateArchetypeSchema)(data);
     if (!isValid) {
-        logValidationErrors(validateArchetypeSchema.errors);
+        logValidationErrors(exports.validateArchetypeSchema.errors);
     }
     return isValid;
 };
 exports.validateArchetype = validateArchetype;
 const validateRule = (data) => {
-    const isValid = validateRuleSchema(data);
+    const isValid = (0, exports.validateRuleSchema)(data);
     if (!isValid) {
-        logValidationErrors(validateRuleSchema.errors);
+        logValidationErrors(exports.validateRuleSchema.errors);
     }
     return isValid;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "x-fidelity",
-  "version": "2.12.1",
+  "version": "2.13.1",
   "description": "cli for opinionated framework adherence checks",
   "main": "dist/xfidelity",
   "bin": {

package/src/archetypes/java-microservice.json

@@ -17,7 +17,7 @@
     ],
     "config": {
         "minimumDependencyVersions": {
-            "spring-boot-starter": "^2.5.0",
+            "springbootstarter": ">2.5.0",
             "spring-boot-starter-web": "^2.5.0"
         },
         "standardStructure": {

package/src/archetypes/node-fullstack.json

@@ -21,11 +21,12 @@
     ],
     "config": {
         "minimumDependencyVersions": {
-            "@types/react": "^17.0.0",
-            "react": "^17.0.0",
-            "@yarnpkg/lockfile": "^1.2.0",
-            "commander": "^2.0.0",
-            "nodemon": "^3.9.0"
+            "@types/react": ">=18.0.0",
+            "react": "~17.0.0",
+            "@yarnpkg/lockfile": "<1.2.0",
+            "commander": ">=2.0.0 <13.0.0",
+            "nodemon": ">4.9.0",
+            "@colors/colors": "1.7.0 || 1.6.0"
         },
         "standardStructure": {
             "app": {

package/src/core/engine/engineSetup.test.ts

@@ -83,35 +83,6 @@ describe('setupEngine', () => {
         expect(engine).toBeDefined();
     });
 
-    it('should handle errors when loading rules and add default rules', async () => {
-        const mockAddRule = jest.fn();
-        (Engine as jest.Mock).mockImplementation(() => ({
-            addOperator: jest.fn(),
-            addRule: mockAddRule,
-            addFact: jest.fn(),
-            on: jest.fn()
-        }));
-
-        (ConfigManager.getConfig as jest.Mock).mockResolvedValue({
-            archetype: mockArchetypeConfig,
-            rules: [
-                undefined,
-                { name: undefined },
-                { name: 'invalidRule', conditions: null }
-            ],
-            cliOptions: {}
-        });
-
-        await setupEngine(mockParams);
-
-        expect(logger.error).toHaveBeenCalledWith('Invalid rule configuration: rule or rule name is undefined');
-        expect(logger.error).toHaveBeenCalledWith('Invalid rule configuration: rule or rule name is undefined');
-        expect(logger.error).toHaveBeenCalledWith('Error loading rule: invalidRule');
-        expect(logger.info).toHaveBeenCalledWith('No valid rules were added. Adding default rules.');
-        expect(mockAddRule).toHaveBeenCalledWith(expect.objectContaining({ name: 'default-rule-1' }));
-        expect(mockAddRule).toHaveBeenCalledWith(expect.objectContaining({ name: 'default-rule-2' }));
-    });
-
     it('should set up event listeners for success events', async () => {
         const mockOn = jest.fn();
         (Engine as jest.Mock).mockImplementation(() => ({

package/src/core/engine/engineSetup.ts

@@ -25,7 +25,7 @@ export async function setupEngine(params: SetupEngineParams): Promise<Engine> {
     logger.info(`=== loading json rules..`);
     const config = await ConfigManager.getConfig({ archetype, logPrefix: executionLogPrefix });
         
-    logger.debug(config.rules);
+    logger.debug(`rules loaded: ${config.rules}`);
 
     const addedRules = new Set();
     config.rules.forEach((rule) => {
@@ -51,20 +51,6 @@ export async function setupEngine(params: SetupEngineParams): Promise<Engine> {
         }
     });
 
-    if (addedRules.size === 0) {
-        logger.info('No valid rules were added. Adding default rules.');
-        engine.addRule({
-            name: 'default-rule-1',
-            conditions: { all: [] },
-            event: { type: 'warning', params: { message: 'Default rule 1 triggered' } }
-        });
-        engine.addRule({
-            name: 'default-rule-2',
-            conditions: { all: [] },
-            event: { type: 'warning', params: { message: 'Default rule 2 triggered' } }
-        });
-    }
-
     engine.on('success', async ({ type, params }: Event) => {
         if (type === 'warning') {
             logger.warn(`warning detected: ${JSON.stringify(params)}`);

package/src/facts/repoDependencyFacts.test.ts

@@ -3,6 +3,7 @@ import { execSync } from 'child_process';
 import fs from 'fs';
 import { Almanac } from 'json-rules-engine';
 import { LocalDependencies, MinimumDepVersions } from '../types/typeDefs';
+import { semverValid } from './repoDependencyFacts';
 
 jest.mock('child_process');
 jest.mock('fs');
@@ -131,32 +132,82 @@ describe('repoDependencyFacts', () => {
 
     describe('semverValid', () => {
         it('should return true for valid version comparisons', () => {
-            expect(repoDependencyFacts.semverValid('2.0.0', '^1.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('1.5.0', '1.0.0 - 2.0.0')).toBe(true);
-            expect(repoDependencyFacts.semverValid('1.0.0', '1.0.0')).toBe(true);
-            expect(repoDependencyFacts.semverValid('2.0.0', '>=1.0.0')).toBe(true);
+            expect(semverValid('2.0.0', '^1.0.0')).toBe(false);
+            expect(semverValid('1.5.0', '1.0.0 - 2.0.0')).toBe(true);
+            expect(semverValid('1.0.0', '1.0.0')).toBe(true);
+            expect(semverValid('2.0.0', '>=1.0.0')).toBe(true);
         });
-
+    
         it('should return false for invalid version comparisons', () => {
-            expect(repoDependencyFacts.semverValid('1.0.0', '^2.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('3.0.0', '1.0.0 - 2.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('0.9.0', '>=1.0.0')).toBe(false);
+            expect(semverValid('1.0.0', '^2.0.0')).toBe(false);
+            expect(semverValid('3.0.0', '1.0.0 - 2.0.0')).toBe(false);
+            expect(semverValid('0.9.0', '>=1.0.0')).toBe(false);
         });
-
+    
         it('should handle complex version ranges', () => {
-            expect(repoDependencyFacts.semverValid('1.2.3', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('2.5.0', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('5.5.5', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
-            expect(repoDependencyFacts.semverValid('8.0.0', '1.x || >=9.5.0 || 5.0.0 - 7.2.3')).toBe(false);
+            expect(semverValid('1.2.3', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect(semverValid('2.5.0', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect(semverValid('5.5.5', '1.x || >=2.5.0 || 5.0.0 - 7.2.3')).toBe(true);
+            expect(semverValid('8.0.0', '1.x || >=9.5.0 || 5.0.0 - 7.2.3')).toBe(false);
         });
-
+    
+        it('should handle caret ranges', () => {
+            expect(semverValid('1.2.3', '^1.2.3')).toBe(true);
+            expect(semverValid('1.3.0', '^1.2.3')).toBe(true);
+            expect(semverValid('2.0.0', '^1.2.3')).toBe(false);
+        });
+    
+        it('should handle tilde ranges', () => {
+            expect(semverValid('1.2.3', '~1.2.3')).toBe(true);
+            expect(semverValid('1.2.9', '~1.2.3')).toBe(true);
+            expect(semverValid('1.3.0', '~1.2.3')).toBe(false);
+        });
+    
+        it('should handle x-ranges', () => {
+            expect(semverValid('1.2.3', '1.2.x')).toBe(true);
+            expect(semverValid('1.2.9', '1.2.x')).toBe(true);
+            expect(semverValid('1.3.0', '1.2.x')).toBe(false);
+            expect(semverValid('1.2.3', '1.x')).toBe(true);
+            expect(semverValid('1.3.0', '1.x')).toBe(true);
+            expect(semverValid('2.0.0', '1.x')).toBe(false);
+        });
+    
+        it('should handle star ranges', () => {
+            expect(semverValid('1.2.3', '*')).toBe(true);
+            expect(semverValid('2.0.0', '*')).toBe(true);
+        });
+    
+        it('should handle greater than and less than ranges', () => {
+            expect(semverValid('2.0.0', '>1.2.3')).toBe(true);
+            expect(semverValid('1.2.3', '>1.2.3')).toBe(false);
+            expect(semverValid('1.2.2', '<1.2.3')).toBe(true);
+            expect(semverValid('1.2.3', '<1.2.3')).toBe(false);
+        });
+    
+        it('should handle AND ranges', () => {
+            expect(semverValid('1.2.3', '>1.2.2 <1.2.4')).toBe(true);
+            expect(semverValid('1.2.4', '>1.2.2 <1.2.4')).toBe(false);
+        });
+    
+        it('should handle OR ranges', () => {
+            expect(semverValid('1.2.3', '1.2.3 || 1.2.4')).toBe(true);
+            expect(semverValid('1.2.4', '1.2.3 || 1.2.4')).toBe(true);
+            expect(semverValid('1.2.5', '1.2.3 || 1.2.4')).toBe(false);
+        });
+    
+        it('should handle pre-release versions', () => {
+            expect(semverValid('1.2.3-alpha', '>=1.2.3-alpha')).toBe(true);
+            expect(semverValid('1.2.3-beta', '>=1.2.3-alpha')).toBe(true);
+            expect(semverValid('1.2.2', '>=1.2.3-alpha')).toBe(false);
+        });
+    
         it('should return true for empty strings', () => {
-            expect(repoDependencyFacts.semverValid('', '')).toBe(true);
+            expect(semverValid('', '')).toBe(true);
         });
-
+    
         it('should return false for invalid input', () => {
-            expect(repoDependencyFacts.semverValid('not-a-version', '1.0.0')).toBe(false);
-            expect(repoDependencyFacts.semverValid('1.0.0', 'not-a-range')).toBe(false);
+            expect(semverValid('not-a-version', '1.0.0')).toBe(false);
+            expect(semverValid('1.0.0', 'not-a-range')).toBe(false);
         });
     });
 });

package/src/facts/repoDependencyFacts.ts

@@ -186,35 +186,46 @@ export async function repoDependencyAnalysis(params: any, almanac: Almanac) {
 }
 
 export function semverValid(installed: string, required: string): boolean {
+    
     // Remove potential @namespace from installed version
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    const installedVersion = installed.includes('@') ? installed.split('@').pop()! : installed;
-    
-    if (!required || !installedVersion) {
+    installed = installed.includes('@') ? installed.split('@').pop()! : installed;
+
+    if (!installed || !required) {
         return true;
     }
 
+    // ensure that both inputs are now valid semver or range strings
+    if (!semver.valid(installed) && !semver.validRange(installed)) {
+        logger.error(`semverValid: invalid installed version or range: ${installed}`);
+        return false;
+    }
+    if (!semver.valid(required) && !semver.validRange(required)) {
+        logger.error(`semverValid: invalid required version or range: ${required}`);
+        return false;
+    }
+
     // If 'installed' is a single version and 'required' is a range
     if (semver.valid(installed) && semver.validRange(required)) {
-        logger.debug('range vs version');
+        logger.info('range vs version');
         return semver.satisfies(installed, required);
     }
 
     // If 'required' is a single version and 'installed' is a range
     if (semver.valid(required) && semver.validRange(installed)) {
-        logger.debug('version vs range');
+        logger.info('version vs range');
         return semver.satisfies(required, installed);
     }
 
     // If both are single versions, simply compare them
     if (semver.valid(required) && semver.valid(installed)) {
-        logger.debug('version vs version');
+        logger.info('version vs version');
         return semver.gt(installed, required);
     }
 
     // If both are ranges, check if they intersect
     if (semver.validRange(required) && semver.validRange(installed)) {
-        logger.debug('range vs range');
+        logger.info('range vs range');
         return semver.intersects(required, installed);
     }
 

package/src/facts/repoFilesystemFacts.test.ts

@@ -60,25 +60,29 @@ describe('File operations', () => {
 
     describe('isBlacklisted', () => {
         it('should return true if file path matches any blacklist pattern', () => {
-            const filePath = '/node_modules/index.js';
-            expect(isBlacklisted(filePath, mockArchetypeConfig.config.blacklistPatterns)).toBe(true);
+            const filePath = '/test/repo/node_modules/index.js';
+            const repoPath = '/test/repo';
+            expect(isBlacklisted({ filePath, repoPath, blacklistPatterns: mockArchetypeConfig.config.blacklistPatterns })).toBe(true);
         });
 
         it('should return false if file path does not match any blacklist pattern', () => {
-            const filePath = 'src/index.js';
-            expect(isBlacklisted(filePath, mockArchetypeConfig.config.blacklistPatterns)).toBe(false);
+            const filePath = '/test/repo/src/index.js';
+            const repoPath = '/test/repo';
+            expect(isBlacklisted({ filePath, repoPath, blacklistPatterns: mockArchetypeConfig.config.blacklistPatterns })).toBe(false);
         });
     });
 
     describe('isWhitelisted', () => {
         it('should return true if file path matches any whitelist pattern', () => {
-            const filePath = '/src/index.js';
-            expect(isWhitelisted(filePath, mockArchetypeConfig.config.whitelistPatterns)).toBe(true);
+            const filePath = '/test/repo/src/index.js';
+            const repoPath = '/test/repo';
+            expect(isWhitelisted({ filePath, repoPath, whitelistPatterns: mockArchetypeConfig.config.whitelistPatterns })).toBe(true);
         });
 
         it('should return false if file path does not match any whitelist pattern', () => {
-            const filePath = 'build/index.txt';
-            expect(isWhitelisted(filePath, mockArchetypeConfig.config.whitelistPatterns)).toBe(false);
+            const filePath = '/test/repo/build/index.txt';
+            const repoPath = '/test/repo';
+            expect(isWhitelisted({ filePath, repoPath, whitelistPatterns: mockArchetypeConfig.config.whitelistPatterns })).toBe(false);
         });
     });
 });

package/src/facts/repoFilesystemFacts.ts

@@ -1,7 +1,7 @@
 import { logger } from '../utils/logger';
 import fs from 'fs';
 import path from 'path';
-import { ArchetypeConfig } from '../types/typeDefs';
+import { ArchetypeConfig, IsBlacklistedParams, isWhitelistedParams } from '../types/typeDefs';
 
 interface FileData {
     fileName: string;
@@ -29,12 +29,12 @@ async function collectRepoFileData(repoPath: string, archetypeConfig: ArchetypeC
         logger.debug(`checking file: ${filePath}`);
         const stats = await fs.promises.lstat(filePath);
         if (stats.isDirectory()) {
-            if (!isBlacklisted(filePath, archetypeConfig.config.blacklistPatterns)) {
+            if (!isBlacklisted({ filePath, repoPath, blacklistPatterns: archetypeConfig.config.blacklistPatterns })) {
                 const dirFilesData = await collectRepoFileData(filePath, archetypeConfig);
                 filesData.push(...dirFilesData);
             }    
         } else {
-            if (!isBlacklisted(filePath, archetypeConfig.config.blacklistPatterns) && isWhitelisted(filePath, archetypeConfig.config.whitelistPatterns)) {
+            if (!isBlacklisted({ filePath, repoPath, blacklistPatterns: archetypeConfig.config.blacklistPatterns }) && isWhitelisted({ filePath, repoPath, whitelistPatterns: archetypeConfig.config.whitelistPatterns })) {
                 logger.debug(`adding file: ${filePath}`);
                 const fileData = await parseFile(filePath);
                 filesData.push(fileData);
@@ -45,22 +45,38 @@ async function collectRepoFileData(repoPath: string, archetypeConfig: ArchetypeC
     return filesData;
 }
 
-function isBlacklisted(filePath: string, blacklistPatterns: string[]): boolean {
+function isBlacklisted({ filePath, repoPath, blacklistPatterns }: IsBlacklistedParams): boolean {
     logger.debug(`checking blacklist for file: ${filePath}`);
+    const normalizedPath = path.normalize(filePath);
+    const normalizedRepoPath = path.normalize(repoPath);
+    
+    if (!normalizedPath.startsWith(normalizedRepoPath)) {
+        logger.warn(`Potential path traversal attempt detected: ${filePath}`);
+        return true;
+    }
+    
     for (const pattern of blacklistPatterns) {
-        if (new RegExp(pattern).test(filePath)) {
-            logger.debug(`skipping blacklisted file: ${filePath} with pattern: ${pattern}`);
+        if (new RegExp(pattern).test(normalizedPath)) {
+            logger.debug(`skipping blacklisted file: ${normalizedPath} with pattern: ${pattern}`);
             return true;
         }
     }
     return false;
 }
 
-function isWhitelisted(filePath: string, whitelistPatterns: string[]): boolean {
+function isWhitelisted({ filePath, repoPath, whitelistPatterns }: isWhitelistedParams): boolean {
     logger.debug(`checking whitelist for file: ${filePath}`);
+    const normalizedPath = path.normalize(filePath);
+    const normalizedRepoPath = path.normalize(repoPath);
+    
+    if (!normalizedPath.startsWith(normalizedRepoPath)) {
+        logger.warn(`Potential path traversal attempt detected: ${filePath}`);
+        return false;
+    }
+    
     for (const pattern of whitelistPatterns) {
-        if (new RegExp(pattern).test(filePath)) {
-            logger.debug(`allowing file: ${filePath} with pattern: ${pattern}`);
+        if (new RegExp(pattern).test(normalizedPath)) {
+            logger.debug(`allowing file: ${normalizedPath} with pattern: ${pattern}`);
             return true;
         }
     }

package/src/operators/outdatedFramework.ts

@@ -7,7 +7,7 @@ const outdatedFramework: OperatorDefn = {
         let result = false;
         
         try {
-            logger.debug(`outdatedFramework: processing ${repoDependencyAnalysis}`);
+            logger.debug(`outdatedFramework: processing ${JSON.stringify(repoDependencyAnalysis)}`);
 
             if (repoDependencyAnalysis?.result?.length > 0) {
                 return true;

package/src/server/configServer.ts

@@ -23,7 +23,7 @@ import chokidar from 'chokidar';
 import { handleConfigChange } from './cacheManager';
 
 const SHARED_SECRET = process.env.XFI_SHARED_SECRET;
-const maskedSecret = SHARED_SECRET ? `${SHARED_SECRET.substring(0, 4)}****${SHARED_SECRET.substring(SHARED_SECRET.length - 4)}` : 'not set';
+const maskedSecret = SHARED_SECRET ? `${SHARED_SECRET.substring(0, 1)}****${SHARED_SECRET.substring(SHARED_SECRET.length - 1)}` : 'not set';
 logger.info(`Shared secret is ${maskedSecret}`);
 
 const app = express();

package/src/types/typeDefs.ts

@@ -1,5 +1,6 @@
 import { Engine, OperatorEvaluator } from 'json-rules-engine';
 import { FileData } from '../facts/repoFilesystemFacts';
+import { JSONSchemaType } from 'ajv';
 
 export type OperatorDefn = {
     name: string,
@@ -89,13 +90,16 @@ export interface ArchetypeConfig {
     operators: string[];
     facts: string[];
     config: {
-        minimumDependencyVersions: Record<string, string>;
+        minimumDependencyVersions: Record<string, string>; // This will be validated in the JSON schema
         standardStructure: Record<string, any>;
         blacklistPatterns: string[];
         whitelistPatterns: string[];
     };
 }
 
+// Add a new type for the JSON schema
+export type ArchetypeConfigSchema = JSONSchemaType<ArchetypeConfig>;
+
 export interface RuleConfig {
     name: string;
     conditions: {
@@ -107,6 +111,7 @@ export interface RuleConfig {
         params: Record<string, any>;
     };
 }
+export type RuleConfigSchema = JSONSchemaType<RuleConfig>;
 
 export interface OpenAIAnalysisParams {
     prompt: string;
@@ -217,3 +222,14 @@ export interface LoadExemptionsParams {
     archetype: string;
 }
 
+export interface IsBlacklistedParams { 
+    filePath: string; 
+    repoPath: string; 
+    blacklistPatterns: string[]; 
+}
+
+export interface isWhitelistedParams { 
+    filePath: string; 
+    repoPath: string; 
+    whitelistPatterns: string[]; 
+}

package/src/utils/jsonSchemas.ts

@@ -1,10 +1,16 @@
-import Ajv, { JSONSchemaType } from 'ajv';
+import Ajv from 'ajv';
 import { logger } from './logger';
-import { ArchetypeConfig, RuleConfig } from '../types/typeDefs';
+import { ArchetypeConfigSchema, RuleConfigSchema } from '../types/typeDefs';
+import semver from 'semver';
 
 const ajv = new Ajv();
 
-const archetypeSchema: JSONSchemaType<ArchetypeConfig> = {
+ajv.addFormat("semverPattern", {
+    type: "string",
+    validate: (x) => semver.valid(x) !== null && semver.validRange(x) !== null
+  })
+
+const archetypeSchema: ArchetypeConfigSchema = {
     type: 'object',
     properties: {
         name: { type: 'string' },
@@ -16,34 +22,40 @@ const archetypeSchema: JSONSchemaType<ArchetypeConfig> = {
             properties: {
                 minimumDependencyVersions: {
                     type: 'object',
+                    properties: {
+                        '^.*$': { 
+                            type: 'string',
+                            format: 'semverPattern'
+                        }
+                    },
                     minProperties: 1,
+                    additionalProperties: true,
                     required: []
                 },
                 standardStructure: {
                     type: 'object',
                     minProperties: 1,
-                    required: []
                 },
                 blacklistPatterns: {
                     type: 'array',
-                    items: { type: 'string'},
+                    items: { type: 'string' },
                     minItems: 1
                 },
                 whitelistPatterns: {
                     type: 'array',
-                    items: { type: 'string'},
+                    items: { type: 'string' },
                     minItems: 1
                 }
             },
-            required: ['minimumDependencyVersions', 'standardStructure', 'blacklistPatterns', 'whitelistPatterns'],
+            required: ['minimumDependencyVersions', 'standardStructure', 'blacklistPatterns', 'whitelistPatterns'] as const,
             additionalProperties: true
         }
     },
-    required: ['rules', 'operators', 'facts', 'config'],
+    required: ['name', 'rules', 'operators', 'facts', 'config'] as const,
     additionalProperties: false
-};
+} as const;
 
-const ruleSchema: JSONSchemaType<RuleConfig> = {
+const ruleSchema: RuleConfigSchema = {
     type: 'object',
     properties: {
         name: { type: 'string' },
@@ -70,8 +82,8 @@ const ruleSchema: JSONSchemaType<RuleConfig> = {
     required: ['name', 'conditions', 'event']
 };
 
-const validateArchetypeSchema = ajv.compile(archetypeSchema);
-const validateRuleSchema = ajv.compile(ruleSchema);
+export const validateArchetypeSchema = ajv.compile(archetypeSchema);
+export const validateRuleSchema = ajv.compile(ruleSchema);
 
 // Helper function to log validation errors
 const logValidationErrors = (errors: any[] | null | undefined) => {